Copyright 2005 Juniper Networks, Inc.
www.juniper.net
Policy Check
  (Diagram: a flow A -> C checked against the policy. Within a Virtual System (VSYS), interfaces E1 through E8 are bound to Zones A through D; the zones are bound to Virtual Router 1 or Virtual Router 2, each with its own routing table (R.T.) and forwarding table; the policy is applied between zones.)
Flow                        Session
  SRC-IP    1.2.3.4           SRC-IP    5.6.7.8
  DST-IP    5.6.7.8           DST-IP    1.2.3.4
  Protocol  6                 Protocol  6
  SRCPort   1234              SRCPort   80
  DSTPort   80                DSTPort   1234
Zone
  Individual configuration parameters are assigned to interfaces:
    IP addresses
    Management services
    Others
  (Diagram: an interface with its IP address is bound to a zone, and the zone is bound to a virtual router (VR).)
  Zone assignment
  IP address
  Subnet mask
  Routing table entries
    Static routes
    Default route
  Initial policy
  (Configured via CLI or WebUI)
Static Route
  Routing table entry pointing to the upstream router
    Name of the interface
    IP address of the next-hop gateway
  Configuration: CLI or WebUI
Policy
  Create an open policy for initial connectivity
    Allows you to verify connectivity through the device without any policy concerns
  Configuration: CLI or WebUI
Network services:
  DNS
  NTP
Management Services
  If you do not specify a service in the CLI command, all services are enabled
  Configuration: CLI or WebUI
Manage IP Address
  Separate IP address specifically for management
  Configuration: CLI or WebUI
Permitted IP Addresses
  Configuration: CLI or WebUI
DNS Configuration
  Parameters
    DNS 1     IP address of primary DNS server
    DNS 2     IP address of secondary DNS server
    Schedule  hh:mm at which to update resolved addresses
  Configuration (CLI)
    set dns host dns1 ip_address
    set dns host dns2 ip_address
    set dns host dns3 ip_address
    set dns host schedule hh:mm
  (Also configurable via WebUI)
NTP Configuration
  Parameters
    Server
    Interval
    Maximum Adjustment
  Configuration (CLI)
    set ntp server name
    set ntp server src-interface name
    set ntp interval seconds
    set ntp max-adjustment seconds
  (Also configurable via WebUI)
Internal Management
  Counters: Hardware, Flow, Policy, SCREEN
  Logs: Event, Traffic, Self
  Alarms: Device, Traffic
2008 Juniper Networks, Inc. All rights reserved.
Interface Counters: Hardware
Group1-SSG1-> get counter statistics interface e0/0
Hardware counters for interface ethernet0/0:
    in bytes       14774934 | out bytes       8482094 | early frame          0
    in packets       166106 | out packets       89112 | late frame           0
    in no buffer          0 | out no buffer         0 | re-xmt limit         0
    in overrun            0 | out underrun          0 | drop vlan            0
    in coll err           0 | out coll err          0 | out cs lost          0
    in misc err           0 | out misc err          0 |
    in dma err            0 | out bs pak            0 |
    in crc err            0 | out discard           0 |
    in align err          0 | out defer             0 |
    in short frame        0 | out heartbeat         0 |
Hardware 64-bit counters for interface ethernet0/0:
    in bytes       14774934 | out bytes       8482094
    in ucast         165276 | out ucast         89112
    in mcast              0 | out mcast             0
    in bcast              0 | out bcast             0
Interface Counters: Flow
FW> get counter flow interface e0/0
Total flow counters for interface ethernet0/0:
    in bytes       14774934 | out bytes       7966328 | tcp proxy            0
    in packets       166106 | out packets       89112 | tear drop            0
    in vlan               0 | out vlan              0 | in permit      3223478
    out permit       257080 | src route             0 | no g-parent          0
    ping of death         0 | no gate sess          0 | address spoof        0
    in icmp               5 | no nat vector         0 | land attack          0
    in self               0 | no map                0 | icmp flood           0
    in un-auth            0 | no conn               0 | udp flood            0
    in unk prot           0 | no dip                0 | winnuke              0
    in vpn            35964 | no gate               0 | port scan            0
    in other              0 | no xmit vpnf          0 | ip sweep             0
    no mac                0 | no route              0 | tcp out of seq       0
    mac relearn           0 | no frag sess          0 | wrong intf           0
    slow mac              0 | no frag netpak        0 | wrong slot           0
    trmng queue           0 | no sa                 0 | icmp broadcast       0
    trmng drop            0 | no sa policy          0 | illegal pak          8
    tiny frag             0 | sa inactive           0 | url block            0
    syn frag              0 | sa policy deny        0 | encrypt fail         0
    connections           0 | policy deny           0 | mp fail              0
    misc prot             0 | auth deny             0 | auth fail            0
    loopback drop         0 | big bkstr             0 | proc sess            0
    mal url               0 | sessn thresh          0 | invalid zone         0
    null zone             0 | no nsp-tunnel         0 | IP cls failure       0
    first pak frag        0 | unknown pak           0 | multiauth drop       0
    multi-DIP drop        0 | app link down         0 |
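A single counter dump such as the one above is a snapshot; the useful monitoring signal is how the counters move between two polls. The following Python is an added example, not code from the course material or from ScreenOS itself. It parses the three-column layout of "get counter flow interface" into a name-to-value map, diffs two polls, and reports increments in the SCREEN-related counters named in the dump (port scan, ip sweep, land attack, illegal pak and so on). The two snapshots are constructed sample data, and the watched-counter list is this example's own selection of names from the dump.

```python
import re
from typing import Dict

# Two constructed snapshots in the three-column layout that "get counter flow
# interface" prints (name value | name value | name value). They are sample
# data for this example, not output captured from a device.
POLL_1 = """\
Total flow counters for interface ethernet0/0:
    in bytes       14774934 | out bytes       7966328 | tcp proxy            0
    in packets       166106 | out packets       89112 | tear drop            0
    ping of death         0 | no gate sess          0 | in permit      3223478
    in icmp               5 | no nat vector         0 | land attack          0
    tiny frag             0 | sa inactive           0 | port scan            0
    syn frag              0 | sa policy deny        0 | ip sweep             0
    null zone             0 | no nsp-tunnel         0 | illegal pak          8
"""

POLL_2 = """\
Total flow counters for interface ethernet0/0:
    in bytes       14901200 | out bytes       8012004 | tcp proxy            0
    in packets       167411 | out packets       89560 | tear drop            0
    ping of death         0 | no gate sess          0 | in permit      3225900
    in icmp               9 | no nat vector         0 | land attack          0
    tiny frag             0 | sa inactive           0 | port scan            3
    syn frag              0 | sa policy deny        0 | ip sweep             1
    null zone             0 | no nsp-tunnel         0 | illegal pak          8
"""

# Counters in the dump that correspond to SCREEN checks or malformed traffic.
# This selection is the example's own, taken from the names in the dump.
SCREEN_COUNTERS = (
    "ping of death", "tear drop", "land attack", "icmp flood", "udp flood",
    "winnuke", "port scan", "ip sweep", "address spoof", "src route",
    "syn frag", "tiny frag", "icmp broadcast", "illegal pak", "mal url",
)

# One cell: a counter name (may contain spaces and punctuation) followed by
# whitespace and an integer value.
_CELL_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)$")


def parse_flow_counters(text: str) -> Dict[str, int]:
    """Turn the columnar dump into {counter name: value}. Cells are split on
    the '|' column separator; header lines and empty cells do not match the
    cell pattern and are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for cell in line.split("|"):
            m = _CELL_RE.match(cell.strip())
            if m:
                counters[m.group("name")] = int(m.group("value"))
    return counters


def counter_deltas(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, int]:
    """Increment of every counter present in both polls. A negative delta
    means the counter wrapped or the device restarted between polls; it is
    returned as-is so the caller can notice the reset."""
    return {name: new[name] - old[name] for name in new if name in old}


def screen_alerts(deltas: Dict[str, int], watched=SCREEN_COUNTERS) -> Dict[str, int]:
    """Watched counters that increased since the previous poll, i.e. the
    ones worth raising to the operator."""
    return {name: d for name, d in deltas.items() if name in watched and d > 0}


if __name__ == "__main__":
    alerts = screen_alerts(counter_deltas(parse_flow_counters(POLL_1),
                                          parse_flow_counters(POLL_2)))
    for name, inc in alerts.items():
        print(f"{name}: +{inc}")
```

Run against the two constructed polls, the script reports only "port scan: +3" and "ip sweep: +1"; "illegal pak" stays at 8 and traffic counters such as "in bytes" grow but are not in the watched set, so neither is reported.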
Event Log
FW-> get event
Date       Time     Module Level Type  Description
2006-08-26 11:04:45 system notif 00002 Admin User "netscreen" logged in for
                                       Web(http) management (port 80) from
                                       10.120.1.189:3043
2006-08-26 11:00:31 system warn  00515 Admin User netscreen has logged on via
                                       console
2006-08-26 10:59:14 system info  00551 NSRD won't start because gateway has
                                       configuration.
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
Severity    ScreenOS Software
  Critical    Emergency, Alert
  Major       Critical
  Minor       Error
  Warning     Warning
  Info        Notification, Information
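The event log listing and the severity table above go together when the log is forwarded to a collector: each entry's level has to be parsed out and mapped to a severity. The following Python is an added example, not code from the course material or from ScreenOS. It parses the "get event" layout (Date Time Module Level Type Description), joins wrapped description lines onto their entry, maps the printed level to the severity column of the table, and then checks admin-login entries against a list of permitted management networks, which is the purpose of the "Permitted IP Addresses" setting earlier on. Assumptions of this example: the sample listing is constructed in the slide's layout, and the printed level ("notif", "warn", "info") is treated as a prefix of the full ScreenOS level name rather than relying on a documented abbreviation list.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of the "get event" output on the slide
# (Date Time Module Level Type Description). Long descriptions wrap onto
# continuation lines, as they do in the slide's listing.
SAMPLE_GET_EVENT = """\
Date       Time     Module Level Type  Description
2006-08-26 11:04:45 system notif 00002 Admin User "netscreen" logged in for
                                       Web(http) management (port 80) from
                                       10.120.1.189:3043
2006-08-26 11:00:31 system warn  00515 Admin User netscreen has logged on via
                                       console
2006-08-26 10:59:14 system info  00551 NSRD won't start because gateway has
                                       configuration.
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
"""

# The severity table from the slides: ScreenOS level -> severity.
SCREENOS_TO_SEVERITY = {
    "emergency": "Critical",
    "alert": "Critical",
    "critical": "Major",
    "error": "Minor",
    "warning": "Warning",
    "notification": "Info",
    "information": "Info",
}

_ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+)\s+(?P<level>\S+)\s+(?P<type>\d{5})\s+(?P<desc>.*)$"
)
_SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def severity_for(level: str) -> Optional[str]:
    """Map the level as printed by 'get event' ('notif', 'warn', 'info' on
    the slide) to the severity column. The printed level is treated as a
    prefix of the full ScreenOS level name; that prefix rule is this
    example's assumption, not documented ScreenOS behaviour."""
    level = level.lower()
    for full_name, severity in SCREENOS_TO_SEVERITY.items():
        if full_name.startswith(level):
            return severity
    return None


def parse_get_event(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'get event' output into one dict per entry, joining wrapped
    description lines onto the entry they belong to."""
    events: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw)
        if m:
            entry: Dict[str, Optional[str]] = dict(m.groupdict())
            entry["severity"] = severity_for(m.group("level"))
            events.append(entry)
        elif events and raw.strip():
            # Continuation line: indented text with no date/time prefix.
            events[-1]["desc"] += " " + raw.strip()
    return events


def admin_logins_outside(events, permitted_networks) -> List[Dict[str, Optional[str]]]:
    """Admin login events whose source address lies outside every permitted
    management network (the slides' 'Permitted IP Addresses'). Console
    logins carry no source address and are not reported."""
    nets = [ipaddress.ip_network(n) for n in permitted_networks]
    hits = []
    for e in events:
        desc = e["desc"] or ""
        if "logged in" not in desc and "logged on" not in desc:
            continue
        m = _SRC_RE.search(desc)
        if m is None:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in net for net in nets):
            hits.append(e)
    return hits


if __name__ == "__main__":
    parsed = parse_get_event(SAMPLE_GET_EVENT)
    for e in parsed:
        print(e["date"], e["time"], e["level"], "->", e["severity"], "|", e["desc"])
    for e in admin_logins_outside(parsed, ["10.120.1.0/24"]):
        print("admin login from outside the permitted range:", e["desc"])
```

With the constructed listing and 10.120.1.0/24 as the permitted network, the Web login from 10.120.1.189 is accepted and nothing is flagged; narrowing the permitted list to a different range flags the type 00002 entry, while the console login (type 00515) is never flagged because it carries no source address.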
Log Settings
DNS Configuration
  Parameters
    DNS 1     IP address of primary DNS server
    DNS 2     IP address of secondary DNS server
    Schedule  hh:mm at which to update resolved addresses
  Configuration (CLI)
    set dns host dns1 ip_address
    set dns host dns2 ip_address
    set dns host dns3 ip_address
    set dns host schedule hh:mm
  (Also configurable via WebUI and Security Manager)
NTP Configuration
  Parameters
    Server
    Interval
  Configuration (CLI)
    set ntp server name
    set ntp server src-interface name
    set ntp interval minutes
    set ntp max-adjustment seconds
  (Also configurable via WebUI and Security Manager)
SNMP Parameters
  Contact            Name of contact
  Location           Name of location
  Port
  Community Name
  Community Version
  Community Host     IP address
SNMP Configuration
  Configuration (CLI)
    set snmp contact name
    set snmp location name
    set snmp port [listen | trap] port
    set snmp community name [trap-on | trap-off]
    set snmp community name version [v1 | v2c]
    set snmp host community-name ip_address src-interface name
    set snmp host community-name ip_address trap version
  (Also configurable via WebUI and Security Manager)
SNMP Configuration: WebUI (1 of 2)
SNMP Configuration: WebUI (2 of 2)
Syslog Configuration
  Parameters
    config: IP address and facility
    config: log
  Configuration (CLI)
    set syslog ... (four set syslog commands cover the parameters above)
  (Also configurable via WebUI and Security Manager)
Installing keys
  Automatic: register the device at the Juniper Networks Web site, then download the licenses
    FW> exec license-key update
File Management
  Store and retrieve critical files used by the Juniper Networks device:
    ScreenOS image
    Configuration files
  File locations:
WebUI:
  Saves automatically when you click Apply or OK
  Console displays save messages
Security Manager:
  Saves to the Security Manager database
  Policies and VPNs must be saved manually
  Configuration is not automatically loaded on the device
Restoring configuration
  Option 1: copies the file into flash; it is available at the next reboot
    save config from [tftp address | pcmcia | slot1] filename to flash
    FW-> save config from tftp 1.1.7.250 15June06.cfg to flash
Configuration Rollback
  Provides a safety net for failed or corrupted configurations
  If the default configuration in flash memory cannot be loaded, the system tries to load the last-known-good file
  You can manually force the system to correct configuration mistakes:
    FW-> save config to last-known-good
  Rollback commands:
    FW-> exec config rollback enable
    **Make any CLI changes**
    FW-> reset
    **Make sure device is working**
    FW-> exec config rollback disable
Upgrade Example: CLI
FW-> save software from tftp 1.1.7.250 newimage.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 3304662
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ... update new flash image (02c86db0,3304662)
platform = 17, cpu = 10, version = 16
offset = 20, address = 900000, size = 3304584
date = 0, time = 0, cksum = 28e9f31c
Program flash (0,3304662) ...
++++++++++++++++++++++++++++++++++++++++++++++++++done
Done
FW-> reset
Upgrade Example: WebUI
Disaster Recovery
  Juniper Networks devices support features to deal with electronic disasters, including:
    Corrupted ScreenOS image in flash memory
    Lost root password
    Procedure to reset to factory defaults
  Connect to the default management interface of the device